Resubmissions
14/02/2025, 03:19
250214-dt85hazpgj 815/07/2024, 12:22
240715-pj7dpszhrl 814/07/2024, 17:11
240714-vqpp5asckh 814/07/2024, 17:07
240714-vmz2pasbjb 1014/07/2024, 16:55
240714-ve3gvaygnq 801/05/2024, 09:05
240501-k2a11abe8v 1024/03/2023, 19:33
230324-x9t53aba7y 10Analysis
-
max time kernel
599s -
max time network
580s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
01/05/2024, 09:05
General
-
Target
Replace.exe
-
Size
34.8MB
-
MD5
fd5cd14325c51ecab6a57d1d665f8852
-
SHA1
ea16aa0f197210437733c63a42a8f1dd6442d753
-
SHA256
d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1
-
SHA512
9a2e4c8baa01fbafe6968905daeb8d3b7eb62c09d1d7584e973ad1c23d964093e161a51a7390dfaa598d2657f45ca17bf00b5055aeaf0441f875ddb364741d71
-
SSDEEP
786432:i9hj60qHOBbQcVM3sct6C2ubdsUeGXV4yQnb+LQgRkrm12PYfrB:i9kH+o5sG2ysbhrmka
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Replace.exe"C:\Users\Admin\AppData\Local\Temp\Replace.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 "C:\Users\Admin\AppData\Local\Temp\wsc3F99.tmp",Start verpostfix=bt2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wns4E40.tmpwscsu.exe /S /VERPOSTFIX=bt3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\service.js"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table6⤵
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4B892217\run.exe.\run.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5e9ded10dff258f6522fe9079ed3319ca
SHA1b0127ea7675f6359bfa80a7bf6282bd1c989b405
SHA256ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780
SHA512d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de
-
Filesize
6.6MB
MD55f40521d2e1082fe1c734610c4a83911
SHA186d54874cc8976cdb75a9dc8dcd817af50837796
SHA25679ac7ae94231a392d27f303418e305a60c4194dbbe143c5deffc977c7b2e7a78
SHA512ef2b54b46844cfb13cfdef6271e2a8b4e646d2e31ca55229e5c76ca90c649895533bc8fb83c4d50dd3721abb2a5e4c5ee32df5c4540e1c14498a5e9b550d3189
-
Filesize
186KB
MD542fb0fa52c2e0bbbdf379c1aba97d12e
SHA1164c4639d99a7dcfacf29da930ca4dfef3621a11
SHA2563db6ffa48cae2dbdc68f9bf5ee75ba5b7abd4f923c5fc6741477916957909071
SHA512b9e96ba85508bb44f49dbf92185157db149fab2a6245a2d39ce49da5ae14617928f44cf8ee2bcb8c9dd4060082cc4b2b84ea6ff7659ce15caa8d9da02c46c936
-
Filesize
2B
MD56920626369b1f05844f5e3d6f93b5f6e
SHA1edfb92a5be2a31a47d117f6c1530e1cebe1b4963
SHA2565e73d6d7edd38daeae9f10721987e301e4d4b5421e88eb17063ac5a41b168273
SHA5120b307a2eca21778e3fca2d855f0e12ff10726fe276bedbf70b40e10f21de839922384d494b67d65a21d4fa15d8642a84b6c39b15ab7e91f3b9555a53ece4f882
-
Filesize
34.8MB
MD5d77c3ef3efa7e38ef91137466eee801b
SHA10b6ce4b03f43c2a7290f95bfbbe9107298efeaef
SHA25691c2295f354b0616aa6481708248f6ce35dbe9292901464fc6bf3a22522ccb2f
SHA5127c0171509814f7e5f24b2a9d53a10ab282586ec56bcdedc2deb2ba1aa2b4d9edade6d6d753ca80fb65d147597bfd4ac9f30e330e88c695e72c913ff3ab224750
-
Filesize
6.7MB
MD57a506a2e92bc66a9f64c2333a815e97a
SHA1a123f6c070f4258c481cb0b6c2b5d1403463e2fa
SHA256c9daca7de1b623867aee943a1d508573841f2584ffa91aaaf09de2a883d2733f
SHA5128bdec3839ca8e0c72dcb76455ad1585264dcef4150d90e0299b477f99590a1b98ac0bd377985ac2e8e2c15f071588ad821650fc200e0f65ec4583f3f82582e30
-
Filesize
6KB
MD541e689a7859429d628c34a82bcbb1187
SHA1f435c4225fc00b3ce4543b812731a65d3722bdc3
SHA256252dd587c652e9939432bd8b5574590c4a8db64660bc753f5490a472703f5c3a
SHA5126a8f76f4d2eeb78df1c48f43c8d31f4510f2ba8da71fbb93d88627eba5f4cc74eb9aa12b7688d7fb62ed938fe2ac15bd2c060d6ad90e5b2c61114f74fcecec85
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB